Commenting update

As some of my visitors have noticed, there have been some problems submitting comments around here. The preview form would remove your carefully input character entities/references, double hyphens were converted to em dashes, etc.

I finally got around to figuring out how to prevent the comment preview from ruining your work. You can still mark up your comment with Markdown syntax though.

However, the ever-increasing comment spamming has forced me to implement some countermeasures that require your browser to have referrer logging enabled. If you have that turned off, you won’t be able to post comments, something for which I am really sorry. If you can think of a clever workaround that will let legitimate commenters access the commenting scripts while keeping the trash out, please let me know.

Comments

1. January 20, 2005 by Arve

You aren't saying which version of MT you are running, but all my advice needs MT3.0 or above.

  1. I presume you already have MT-Blacklist 2.04 installed? I have found that the moderation is indispensable. If something is spam, it stops in my moderation queue, and it takes me only two clicks to get rid of it.
  2. If you haven't installed it already, I'd suggest trying either mt-dsbl or mt-proxyplug -- both these plugins disable commenting through open proxies of some sort, and the majority of spam is indeed sent through proxies.
  3. Try implementing the Burningbird comment spam quick fix -- basically: Create a hidden form field, with a custom name and a custom value. Check if the submitted forms contain this name-value pair, and if not, return a 403 error.

Myself, I am using only options 1 and 2, and I have not yet had a spam get further than the moderation

2. January 20, 2005 by Arve

BTW, I am being redirected to the wrong URI when commenting. My last submission sent me to #2651 instead of #comment2651.

3. January 21, 2005 by Roger Johansson

Thanks for the tips. I'm still using MT 2.65, so I can't do everything you suggest. I do have MT-Blacklist, and it catches most spam, but not all of it. I'm using option 3, but that only works for a week or so after I change the name-value pair.

By far the most effective thing I've done is the referrer check. Not a single automated spam has even reached MT-Blacklist since I implemented it.

Thanks for informing me of the redirect problem. I hadn't even noticed. I'll try to fix that ASAP.
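
The referrer check from the post and the hidden name-value pair from comments 1 and 3, combined into one gate that answers 403 on failure. This is an added Python example, not the site's or Movable Type's code; the host name, the secret, and the weekly rotation of the pair (automating the manual change mentioned in comment 3) are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_HOST = "blog.example"           # assumed host name (placeholder)
SECRET = b"constructed-demo-secret"  # assumed server-side secret
WEEK = 7 * 24 * 3600


def hidden_pair(now, offset=0):
    """Hidden field name and value for the week containing `now`."""
    week = int(now) // WEEK + offset
    digest = hmac.new(SECRET, b"week:%d" % week, hashlib.sha256).hexdigest()
    return "f_" + digest[:8], digest[8:40]


def referer_ok(headers):
    """True only when a Referer header is present and names our own host."""
    try:
        host = urlsplit(headers.get("Referer", "")).hostname
    except ValueError:               # malformed URL in the header
        return False
    return host == SITE_HOST


def gate(headers, form, now):
    """Return the HTTP status the comment script would answer with."""
    if not referer_ok(headers):
        return 403
    # Accept this week's pair and last week's, so a form that was loaded
    # just before the rotation can still be posted.
    for offset in (0, -1):
        name, value = hidden_pair(now, offset)
        supplied = form.get(name, "")
        if hmac.compare_digest(supplied.encode(), value.encode()):
            return 200
    return 403
```

The Referer header is supplied by the client, so this check filters out scripts that omit it rather than authenticating anyone, and it also rejects browsers with referrers turned off, as the post notes.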

4. January 21, 2005 by Mark Wubben

Roger, perhaps you could make the posting guidelines a fold out area or something like that. When looking for new comments I usually go to the bottom of the page, but then the guidelines are in the way from seeing the latest comment.

5. January 21, 2005 by Arve

> Thanks for the tips. I'm still using MT 2.65, so I can't do everything you suggest.

Let me just say that the $99.95 I spent on MT3 was the best $99.95 I have spent on weblogging. Not only for blacklist and mt-dsbl, but because MT3 has a far more usable interface.

6. January 21, 2005 by Roger Johansson

Mark: I'll look into doing that.

Arve: Yeah, upgrading would probably be a good idea. I'm still on 2.65 because I read about a lot of people having problems with early releases of MT 3, and right now I don't have the time for anything but a smooth and hassle-free upgrade.

7. January 21, 2005 by Arve

I had no problems whatsoever when I installed 3.14. From earlier experiences with hassle-free updates, I use the following approach:

  1. I always download both the full version and the upgrade version.
  2. I always run mt-check.cgi from the new version prior to installation. Also run mt-testbg.cgi to check if you can run background tasks.
  3. I uninstalled MT-Blacklist.
  4. I then install the full version instead of the upgrade, to ensure that everything in the lib and extlib directories is the current version.
  5. Modify mt.cfg as needed: There are a few new options, mainly to run background tasks and enable TypeKey authentication. Looking at the default config file that came with the full install should give out enough clues as to what you need to add to your old mt.cfg.
  6. I copy the required upgrade scripts from the upgrade download, and run them. You will have to run both mt-upgrade
  7. Prior to upgrading to Movable Type 3.14, I had a somewhat hacked version of MT2.65; in particular using Sean Willson's mt-rebuild type mod. Since the MT Rebuild type mod changed what in MT3.14 is known as "Rebuild this template automatically when rebuilding index templates" to "No", I had to set this for the various rebuild templates.
  8. Install the new MT-Blacklist. Install mt-dsbl
  9. Set up the cron job for Movable Type. This ensures that the blacklist stays up to date.
  10. You might also want to create your own templates for the new default templates, in particular the "Comment pending" template. (I haven't actually performed this step myself)

8. January 21, 2005 by Roger Johansson

Arve: Thanks for the step-by-step instructions. I'll give it a shot when I feel I have a day to spare just in case something goes wrong - hopefully in a couple of weeks or so.

9. February 9, 2005 by Patrys

As for comment spam, the following scheme seems to be working flawlessly for me for a long time: a live example.

It basically makes sure no one ever tries to bypass the preview box by calculating a simple hash for entered data and sending it along with the preview form. If the hash does not match the values entered, the user is sent back to the preview form.

It was implemented in PHP and the example reference linked above uses a very simple hashing mechanism. For real use you should also hash stuff like current number of comments or current blog post ID.
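
The preview-hash scheme from comment 9, as an added Python sketch rather than Patrys's PHP code. It swaps the simple hash for a keyed HMAC, so the value cannot be recomputed without the server's key, and it folds in the post ID and comment count as the comment suggests; the field names and the secret are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumed server-side key, never sent out


def field_bytes(value):
    """Length-prefix a field so ("ab", "c") and ("a", "bc") hash differently."""
    data = str(value).encode("utf-8")
    return len(data).to_bytes(4, "big") + data


def preview_token(post_id, comment_count, author, body):
    """Token the preview page embeds as a hidden field next to the data."""
    msg = b"".join(field_bytes(v)
                   for v in (post_id, comment_count, author, body))
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def handle_submit(form, post_id, comment_count):
    """Return "saved" if the posted data is what was previewed, else "preview"."""
    expected = preview_token(post_id, comment_count,
                             form.get("author", ""), form.get("body", ""))
    supplied = form.get("token", "")
    # Constant-time comparison of the recomputed and the submitted token.
    if hmac.compare_digest(expected.encode(), supplied.encode()):
        return "saved"
    return "preview"  # mismatch: send the user back to the preview form
```

Because the comment count is part of the token, a commenter whose preview was overtaken by another comment is also sent back to the preview form once.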

About the author

Roger Johansson is a Swedish web professional specialising in web standards, accessibility, and usability. More about me and this site.
